acmesmith 0.10.0 → 0.11.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 39060c7505c4a73bfccf496d1015c69573e247b7
-  data.tar.gz: f021fc666dee39ce983143b8b42c6d89fe10e336
+  metadata.gz: bce001c8eca147fba2d1d2e0b43d30ebd175f096
+  data.tar.gz: 65fb44fdf5367fa3e6c66ecb837fd3119f07db76
 SHA512:
-  metadata.gz: 07ee7ce1383349bd7fbc93d78fe97bca3d9407df833c3d7f299d5fd17ef1307118f5e50f8c28523a131cc9756cfb858d9aa465a43850d6f86a723b8f06515fdc
-  data.tar.gz: be76cdfe37a4988c9dfdb1db3d3fb49bc16ba7fe719ae7ad588f22a1f636f74b19f9f5383464d52128055bcc83e9de7102528ba04b2df98b887b2deb157d6176
+  metadata.gz: a544bb8d9ee438806215471846bd71dd34fcd3dc0cdd38d15a130292d255c1f221492c1c129bcdb5906ac8afc5819b161296dd0b64607ad36149966f7cf23d7e
+  data.tar.gz: ecc46f9cc09ec3630d14a3052b43b51659fdaba8716e43095bc578326e7e5fc99174da54b26d80abc1579b8bb7c35e991e405a5238a38fd7c805ca985b9fa630

data/README.md

@@ -62,6 +62,14 @@ $ acmesmith save-pkcs12      COMMON_NAME --output=PATH  # Save certificate and p
 $ acmesmith autorenew [-d DAYS] # Renew certificates which being expired soon
 ```
 
+```
+# Save (or update) certificate files and key in a one command
+$ acmesmith save COMMON_NAME \
+      --version-file=/tmp/cert.txt   # Path to save a certificate version for following run 
+      --key-file=/tmp/cert.key       # Path to save a key
+      --fullchain-file=/tmp/cert.pem # Path to save a certficiate and its chain (concatenated)
+```
+
 See `acmesmith help [subcommand]` for more help.
 
 ## Configuration

data/docs/vendor/aws.md

@@ -103,4 +103,20 @@ Be sure to replace `{S3-REGION}` and `{YOUR-AWS-ACCOUNT-ID}` before applying it.
 }
 ```
 
+#### Policy for ACM post issuing hook
+
+``` json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": ["acm:ImportCertificate", "acm:AddTagsToCertificate"],
+      "Resource": ["*"]
+    }
+  ]
+}
+```
+
+Optionally you can limit resource to certificate ARN(s).
 

data/lib/acmesmith/client.rb

@@ -1,6 +1,8 @@
 require 'acmesmith/account_key'
 require 'acmesmith/certificate'
 
+require 'acmesmith/save_certificate_service'
+
 require 'acme-client'
 
 module Acmesmith
@@ -146,10 +148,17 @@ module Acmesmith
       certs
     end
 
-    def save_certificate(common_name, version: 'current', mode: '0600', output:)
+    def save_certificate(common_name, version: 'current', mode: '0600', output:, type: 'fullchain')
       cert = storage.get_certificate(common_name, version: version)
       File.open(output, 'w', mode.to_i(8)) do |f|
-        f.puts(cert.fullchain)
+        case type
+        when 'certificate'
+          f.puts cert.certificate.to_pem
+        when 'chain'
+          f.puts cert.chain
+        when 'fullchain'
+          f.puts cert.fullchain
+        end
       end
     end
 
@@ -178,6 +187,13 @@ module Acmesmith
       end
     end
 
+    def save(common_name, version: 'current', **kwargs)
+      cert = storage.get_certificate(common_name, version: version)
+      cert.key_passphrase = certificate_key_passphrase if certificate_key_passphrase
+
+      SaveCertificateService.new(cert, **kwargs).perform!
+    end
+
     def autorenew(days: 7, common_names: nil)
       (common_names || storage.list_certificates).each do |cn|
         puts "=> #{cn}"

data/lib/acmesmith/command.rb

@@ -6,7 +6,7 @@ require 'acmesmith/client'
 module Acmesmith
   class Command < Thor
     class_option :config, default: './acmesmith.yml', aliases: %w(-c)
-    class_option :passphrase_from_env,  type: :boolean, aliases: %w(-E), default: false, desc: 'Read $ACMESMITH_ACCOUNT_KEY_PASSPHRASE and $ACMESMITH_CERTIFICATE_KEY_PASSPHRASE for passphrases'
+    class_option :passphrase_from_env,  type: :boolean, aliases: %w(-E), default: nil, desc: 'Read $ACMESMITH_ACCOUNT_KEY_PASSPHRASE and $ACMESMITH_CERTIFICATE_KEY_PASSPHRASE for passphrases'
 
     desc "register CONTACT", "Create account key (contact e.g. mailto:xxx@example.org)"
     def register(contact)
@@ -57,10 +57,11 @@ module Acmesmith
 
     desc 'save-certificate COMMON_NAME', 'Save certificate to a file'
     method_option :version, type: :string, default: 'current'
+    method_option :type, type: :string, enum: %w(certificate chain fullchain), default: 'fullchain'
     method_option :output, type: :string, required: true, banner: 'PATH', desc: 'Path to output file'
     method_option :mode, type: :string, default: '0600', desc: 'Mode (permission) of the output file on create'
     def save_certificate(common_name)
-      client.save_certificate(common_name, version: options[:version], mode: options[:mode], output: options[:output])
+      client.save_certificate(common_name, version: options[:version], mode: options[:mode], output: options[:output], type: options[:type])
     end
 
     desc "show-private-key COMMON_NAME", "show private key"
@@ -78,6 +79,32 @@ module Acmesmith
       client.save_private_key(common_name, version: options[:version], mode: options[:mode], output: options[:output])
     end
 
+    desc 'save COMMON_NAME', 'Save (or update) certificate and key files.'
+    method_option :version, type: :string, default: 'current'
+    method_option :key_mode, type: :string, default: '0600', desc: 'Mode (permission) of the key file on create'
+    method_option :certificate_mode, type: :string, default: '0644', desc: 'Mode (permission) of the certificate files on create'
+    method_option :version_file, type: :string, required: false, banner: 'PATH', desc: 'Path to save a certificate version for following run (optional)'
+    method_option :key_file, type: :string, required: false, banner: 'PATH', desc: 'Path to save a key'
+    method_option :fullchain_file, type: :string, required: false , banner: 'PATH', desc: 'Path to save a certficiate and its chain (concatenated)'
+    method_option :chain_file, type: :string, required: false , banner: 'PATH', desc: 'Path to save a certificate chain (root and intermediate CA)'
+    method_option :certificate_file, type: :string, required: false, banner: 'PATH', desc: 'Path to save a certficiate'
+    method_option :atomic, type: :boolean, default: true, desc: 'Enable atomic file update with rename(2)'
+    def save(common_name)
+      client.save(
+        common_name,
+        version: options[:version],
+        key_mode: options[:key_mode],
+        certificate_mode: options[:certificate_mode],
+        version_file: options[:version_file],
+        key_file: options[:key_file],
+        fullchain_file: options[:fullchain_file],
+        chain_file: options[:chain_file],
+        certificate_file: options[:certificate_file],
+        atomic: options[:atomic],
+        verbose: true,
+      )
+    end
+
     desc 'save-pkcs12 COMMON_NAME', 'Save ceriticate and private key to .p12 file'
     method_option :version, type: :string, default: 'current'
     method_option :output, type: :string, required: true, banner: 'PATH', desc: 'Path to output file'

data/lib/acmesmith/save_certificate_service.rb

@@ -0,0 +1,64 @@
+module Acmesmith
+  class SaveCertificateService
+    def initialize(cert, key_mode: '0600', certificate_mode: '0644', version_file: nil, key_file: nil, fullchain_file: nil, chain_file: nil, certificate_file: nil, atomic: true, verbose: false)
+      @cert = cert
+      @key_mode = key_mode
+      @certificate_mode = certificate_mode
+      @version_file = version_file
+      @key_file = key_file
+      @fullchain_file = fullchain_file
+      @chain_file = chain_file
+      @certificate_file = certificate_file
+      @atomic = atomic
+      @verbose = verbose
+    end
+
+    attr_reader :cert
+    attr_reader :key_mode, :certificate_mode
+    attr_reader :version_file, :key_file, :fullchain_file, :chain_file, :certificate_file
+    def atomic?; !!@atomic; end
+
+    def perform!
+      if local_version == cert.version
+        return
+      end
+
+      log "Saving certificate CN=#{cert.common_name} (ver: #{cert.version})"
+
+      write_file(key_file, key_mode, cert.private_key)
+      write_file(certificate_file, certificate_mode, cert.certificate.to_pem)
+      write_file(chain_file, certificate_mode, cert.chain)
+      write_file(fullchain_file, certificate_mode, cert.fullchain)
+      write_file(version_file, certificate_mode, cert.version)
+    end
+
+    def local_version
+      @local_version ||= begin
+        if version_file && File.exist?(version_file)
+          File.read(version_file).chomp
+        else
+          nil
+        end
+      end
+    end
+
+    private
+
+    def log(*args)
+      if @verbose
+        puts *args
+      end
+    end
+
+    def write_file(path, mode, body)
+      return unless path
+      realpath = atomic? ? "#{path}.new" : path
+      File.open(realpath, 'w', mode.to_i(8)) do |io|
+        io.puts body
+      end
+      if atomic?
+        File.rename realpath, path
+      end
+    end
+  end
+end

data/lib/acmesmith/version.rb

@@ -1,3 +1,3 @@
 module Acmesmith
-  VERSION = "0.10.0"
+  VERSION = "0.11.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: acmesmith
 version: !ruby/object:Gem::Version
-  version: 0.10.0
+  version: 0.11.0
 platform: ruby
 authors:
 - sorah (Shota Fukumori)
@@ -133,6 +133,7 @@ files:
 - lib/acmesmith/post_issuing_hooks/acm.rb
 - lib/acmesmith/post_issuing_hooks/base.rb
 - lib/acmesmith/post_issuing_hooks/shell.rb
+- lib/acmesmith/save_certificate_service.rb
 - lib/acmesmith/storages.rb
 - lib/acmesmith/storages/base.rb
 - lib/acmesmith/storages/filesystem.rb